Post on 15-Jan-2016
A TCAM-based solution for integrated traffic anomaly detection and policy filtering
Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang
Publisher: Computer Communications 2009
Presenter: Hsin-Mao Chen
Date: 2009/9/30
Outline
Introduction
Background
Architecture
Data Structures
Packet Processing
Performance
Introduction
Distributed Denial of Service (DDoS) attacks are a major threat to the Internet.
TCP-based DDoS attacks that use spoofed source IP addresses are detected at the edge router through two-dimensional matching.
Background
Two-dimensional (2D) matching
A normal TCP flow generated from one end host to another should have a corresponding flow in the other direction.
Background
TCP packet header (figure, field widths in bits): source port number (16), destination port number (16), sequence number (32), header length (4), unused (6), flag bits URG, ACK, PSH, RST, SYN, FIN, window size (16); header followed by data.
Background
Three-way handshake (figure): client and server exchange over time: FIN, FIN+ACK, ACK.
Architecture
Data Structures
Format of action code:
- Rule type bit: (0) policy filter rule, (1) flow identity
- CPU bit: (0) not passed to the local CPU, (1) passed to the local CPU
- Forwarding action
- Flow index in the flow table located in the local CPU
- Free bits
Data Structures
Format of flow table in the local CPU:
- State (2 bits): (00) empty entry, (01) unmatched existing flow, (10) expected flow, (11) matching existing flow
- FIN and ACK bits, used to terminate a pair of completed flows
- Flow location in the TCAM rule table
- Timers: Talm, Tidl, Trmv
Packet Processing
Packet in a new flow, e.g. <1.2.3.4, 5.6.7.8, 80, 1028, 6> (figure: TCAM table and flow table)
Packet Processing
Packet in the expected flow, e.g. <5.6.7.8, 1.2.3.4, 1028, 80, 6> (figure: TCAM table)
Packet Processing
Packet in a matched flow (figure: TCAM table)
Packet Processing
Packet with FIN and/or ACK bit set (figure: TCAM table; FIN, FIN+ACK, ACK)
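The flow-table transitions of the four packet-processing slides (new flow, expected flow, matched flow, FIN/ACK termination), as an added software model written for this page; it is not code from the paper or the slides. The state codes and the timer name Talm come from the slides; the timer value, the 5-tuple key layout and the rule that the pair is removed on the final ACK are assumptions.

```python
# Added example, not from the paper or slides: a software model of the 2D matching
# flow table. State codes follow the slides; the T_ALM value is an assumption.
from dataclasses import dataclass

EMPTY, UNMATCHED, EXPECTED, MATCHED = "00", "01", "10", "11"
T_ALM = 5.0  # assumed alarm timeout (seconds) for a flow with no reverse flow


def reverse(key):
    # Key of the flow in the other direction; key = (src, dst, sport, dport, proto)
    src, dst, sport, dport, proto = key
    return (dst, src, dport, sport, proto)


@dataclass
class Entry:
    state: str
    first_seen: float
    fin: bool = False  # this direction has sent FIN


class FlowTable:
    def __init__(self):
        self.table = {}
        self.alarms = []

    def process(self, key, flags, now):
        """Update the table for one packet and return the entry's resulting state."""
        entry = self.table.get(key)
        if entry is None:
            # New flow: record it as unmatched and expect the reverse flow
            self.table[key] = Entry(UNMATCHED, now)
            self.table.setdefault(reverse(key), Entry(EXPECTED, now))
            return UNMATCHED
        rev = self.table.get(reverse(key))
        if entry.state == EXPECTED and rev is not None:
            # Reverse direction has appeared: both directions are now matched
            entry.state = rev.state = MATCHED
        if "FIN" in flags:
            entry.fin = True
        if "ACK" in flags and "FIN" not in flags and entry.fin and rev and rev.fin:
            del self.table[key], self.table[reverse(key)]  # completed pair removed
            return EMPTY
        return entry.state

    def check_timers(self, now):
        """Alarm flows still unmatched after T_ALM; returns the alarmed flow keys."""
        for key, entry in list(self.table.items()):
            if entry.state == UNMATCHED and now - entry.first_seen > T_ALM:
                self.alarms.append(key)
                del self.table[key]
                self.table.pop(reverse(key), None)
        return list(self.alarms)
```

A flow whose reverse direction never appears is the case a spoofed-source flood produces, so it is reported by check_timers once Talm expires, while a normal connection passes through expected, matched and removal without an alarm.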
Performance
False alarm probability:
$P_{\text{false}} = (1-p)^{n-1}\,p$
Performance
Average time for an attack to be monitored (plot: Trace 1, Trace 2)
Performance
Number of falsely alarmed flows per second